How to Do Risk Management within IT Security – Step-By-Step

Published on:
May 31, 2024
|
Reading time:
6 min.
WRITTEN BY
Jakob Krabbe Sørensen
Attorney and Lead Legal Engineer
TABLE OF CONTENTS

Want to know more about ComplyCloud AI?

Get more time and more confidence by automating your risk assessments

There is a paradox when it comes to cyberattacks and risk management:

In a report from 2023, 52% of cybersecurity professionals say they are exposed to more cyberattacks. However, only 8% of the organizations who do cyber risk assessments do these monthly. And only 40% of them do them annually.

This is concerning for two reasons:

1) Cyber criminals get ‘better’ every day. And 2) many organizations have to comply with regulations like the NIS2 Directive to build cyber resilience and protect our society.

So, let’s better the statistics above together, shall we?

It’s all about having done strong, structured footwork that makes it easy and simple for you to update your risk assessments ongoing.

You’ll be able to do that after reading this blog post
as we answer:

  • What is risk management within IT security?
  • What are the 5 steps in your risk assessment?
  • How do you speed up your risk management?

What is risk management within IT security?

In general, risk management is about identifying and handling potential threats to comply with relevant laws or frameworks and, of course, to protect the business.

These threats can be everything from financial risks, legal risks, and strategic risks to accidents and even natural disasters.

Looking through the lens of IT security, threats are seen as so if they put a risk on your organization.

When looking from a NIS2 perspective, the severity of threats is determined by the risk they pose to society and critical infrastructure, such as energy, water, food, or any other sector that other organizations or citizens are dependent on.


Whether we look through the lens of IT security or NIS2, risks are hypothetical unwanted events that pop up from ‘the outside’ and affect an entire system or the entire organization.

So, as opposed to GDPR where you assess risks within an asset and follow an asset-based approach, you do risk assessments within IT security by assessing risk scenarios.

The risk scenario-approach is also the approach we – and hopefully soon you – follow in these 5 steps in a risk assessment.

These are based on ISO 27005, which is the standard for helping organizations manage their information security, cybersecurity, and privacy protection.

5 steps in a risk assessment

We recommend this 5 step-approach when you do a risk assessment of your risk scenarios:

  • Step #1: Identify key risk factors
  • Step #2: Create a list of scenarios based on risk factors
  • Step #3: Assess the likelihood and consequence of each risk scenario
  • Step #4: Implement and document security
  • Step #5: Ensure regularly review and update risk assessments and mitigation

Step 1: Identify key risk factors

As the first thing, you should identify risk factors that could pose significant harm to the organization financially or operationally.

To kickstart this process you could for instance:

  • Do a brainstorming session with key stakeholders (such as leadership, security personnel and those responsible for key infrastructure).
  • Analyze historical data, where you consider where the organization’s past security incidents or financial harm have occurred.
  • Dive into industry-specific reports and benchmarks on common security issues.


When you’ve done this process, you’re ready to move on to the next step and dive into the risk scenarios that are linked to these key risk factors.

Step #2: Create a list of scenarios based on risk factors

In this step, you should consider an event (or sequence of events) that could result in one of your key risk factors happening in reality, and, further, what the consequences of that scenario could be.

These events could include breaches, attacks, system failures, or unauthorized access to sensitive data.

Once, you’ve made this list, you’re ready to dive into the details by looking at the consequence and likelihood of each risk factor.

Step #3: Assess the likelihood and consequence of threats

Now, it’s time to assess the consequence and likelihood of your identified risk scenarios. Maybe you already know that you can do this with the help of a risk score like this one:


You start by estimating a scenario’s likelihood as very low, very high, or somewhere in between.

You can base this estimation on historical data (organization-specific or based on industry reports), on the frequency of that risk, or by assessing the potential motivation of actors who pose a threat.

For example, if an ‘outsider’ can earn a large amount of money by stealing your organization’s property, they’re more likely to put great effort into achieving that. In that case, it might make the likelihood of that risk being realized very high.

Then, you assess the consequence. Whether this is very low, severe, or somewhere in between depends heavily upon an organization’s own context and goals.

However, in general, assessing the potential financial impact of a particular threat will help you place scenarios in consequence tiers, with the highest consequence level being those risks that would cost the organization the most money.

When you’ve assessed the likelihood and consequence of each risk scenario, you’ll end up with a complete risk score that could look like this:


As you see, some of your risk scenarios will place themselves in different color areas.

The green ones are relatively safe.

However, you need to be aware of the yellow and red ones – and ensure the proper security controls on these. This brings us to step #4.

Step #4: Implement and document security

This step is about implementing and documenting security, prioritizing the scenarios with the highest risk score, and then assessing the residual risk.

First, you should focus on security that will reduce the likelihood of a risk happening, such as encrypting data, restricting access to assets, or developing backup plans in case of supply chain disruptions.

In most cases, you cannot reduce the consequence level of a risk via security, so the effort should be in making sure the scenario does not happen in the first place.


Once, you’ve implemented the proper security, you should reassess the risk scenarios you identified in step 3.

Continue the process until the risk has been reduced to a level consistent with the organization’s risk management policy and risk appetite. Then, you should end up with a risk score that could look like this:

Step #5: Review regularly and update security

As with any other compliance work, doing risk assessment is an ongoing process. High-risk scenarios should be assessed on an ongoing basis.

Further, we recommend that you assess other risk scenarios – meaning the ‘yellow’ and the ‘green’ scenarios that you identified in step 3 – at least once or twice per year.

This is to make sure that your organization is always cyber resilient and keeps the risks within the green area.

How to speed up your risk management

Even to an IT/cybersecurity specialist like you, risk management can be overwhelming and time-consuming.

Especially, if you use Excel sheets to do your organization’s risk management.

That’s why we’ve introduced an alternative for you: ComplyCloud AI. It’s the only tool that gives you AI-powered suggestions for risk assessments.

By this, ComplyCloud AI helps you automate the descriptions of risks, threats, and security controls – and gives you confidence in conducting accurate risk assessments.

Want to know more about ComplyCloud AI?

Get more time and more confidence by automating your risk assessments

Tell me more
Published:
May 31, 2024
Category:
RISK MANAGEMENT